Encryption data management system and encryption data management method

ABSTRACT

A system includes an agent-side apparatus and an owner-side apparatus. The agent-side apparatus includes a transmission unit for responding to operation inputs from an agent, and a transfer unit for transferring a data processing request to the owner-side apparatus, and transferring a processing result to a management object apparatus. The owner-side apparatus includes a commission condition storage unit in which a commission condition of the agent is stored; an agent authentication unit for authenticating authentication information; a performing unit for performing data processing associated with decryption of encryption data, upon receiving the data processing request from the agent-side apparatus, when the agent authentication unit normally performs the authentication and when the data processing request falls within a range of the agent commission condition; and a result transmission unit for transmitting the processing result of the performing unit to the agent-side apparatus.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to and claims priority to Japanese patent application No. 2008-92699 filed on Mar. 31, 2008 in the Japan Patent Office, and incorporated by reference herein.

FIELD

The present invention relates to an encryption data management system and an encryption data management method for managing encryption data, particularly to an encryption data management system and an encryption data management method capable of decrypting the encryption data by connecting a device in which a secret key is stored.

BACKGROUND

Generally, in user authentication with a computer system, verification is performed between authentication information on each user stored in a server and authentication information fed from the user. Examples of the authentication system include a system in which the authentication is performed by an agent located in a site different from the server and a system in which the authentication information on an agent is previously registered in the computer system of an operating object and an access to secret information is permitted to the corresponding agent.

In a system in which higher security is required, sometimes a mechanism in which important information is protected by encrypting data using a public key is applied in addition to the user authentication. The encrypted data can be decrypted using a secret key possessed only by an owner of the data. In operation of the public key cryptosystem, the secret key is incorporated in a tamper-resistant device. The tamper-resistant device has a structure in which the secret key cannot be taken out, and the tamper-resistant device has a function of encrypting/decrypting the data using the secret key. For example, in decrypting the encryption data encrypted with the public key, it is necessary that, using the secret key, the device decrypt the encryption data fed into the device. An IC card can be cited as an example of the tamper-resistant device.

When the secret information is protected by the secret key, in principle an owner of the secret key carries the IC card to go to the site where the secret key is required.

In the case where the computer system is operated in a firm or the like, sometimes maintenance and management of the computer system are commissioned to another firm. Sometimes an access to the secret information is required in the maintenance and management work of the computer system. Work efficiency is lowered when the owner of the computer system brings the IC card to the work site every time the access to the secret information is required. Therefore, the owner commissions, to an agent, the authority of the maintenance and management work in which the secret information is utilized.

However, from the viewpoint of security, it is not desirable that the owner commissions the whole authority to the agent. That is, it is necessary that the IC card in which the secret key is incorporated be lent to the agent when the owner commissions the work in which the secret information is utilized to the agent. When the owner lends the IC card to the agent, the agent has the same authority as the owner, and a large risk is generated for the owner. Sometimes the site where the management object system is installed is located far away from the owner. When the owner lends the IC card to the agent who goes to the remote site, the owner seldom monitors the agent, which further increases the risk.

SUMMARY

According to an aspect of this invention, an encryption data management system includes an agent-side apparatus and an owner-side apparatus to manage encryption data stored in an encryption data storage unit of a management object apparatus. The agent-side apparatus includes a transmission unit for responding to operation inputs from an agent to transmit authentication information indicating proxy of the agent to the owner-side apparatus; and a transfer unit for transferring a data processing request including the encryption data to the owner-side apparatus when the management object apparatus supplies the data processing request, and then transferring a processing result to the management object apparatus, the processing result corresponding to the data processing request sent back from the owner-side apparatus. The owner-side apparatus includes a commission condition storage unit in which a commission condition of the agent who uses the agent-side apparatus is previously stored; an agent authentication unit for authenticating authentication information when the authentication information of the agent is received from the agent-side apparatus; a performing unit for performing data processing associated with decryption of the encryption data included in the permitted data processing request using a previously registered key, when the agent authentication unit normally performs the authentication, and when the data processing request falls within a range of the agent commission condition indicated by the commission condition storage unit, upon receiving the data processing request from the agent-side apparatus; and a result transmission unit for transmitting the processing result of the performing unit to the agent-side apparatus.

Additional objects and advantages of the embodiment will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objects and advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the appended claims.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an outline of an embodiment;

FIG. 2 illustrates an example of a system configuration of the embodiment;

FIG. 3 illustrates an example of a hardware configuration of an agent device used in the embodiment;

FIG. 4 is a block diagram illustrating an encryption data management function;

FIG. 5 illustrates an example of a data structure of a commission condition storage unit;

FIG. 6 is a sequence diagram illustrating a processing procedure when data processing is normally performed;

FIG. 7 is a sequence diagram illustrating a processing procedure when the data processing results in an authentication error;

FIG. 8 is a sequence diagram illustrating a processing procedure when an owner IC card is removed;

FIG. 9 is a flowchart illustrating a procedure of processing request permission determination processing;

FIG. 10 illustrates an example of connection in which a USB interface is used;

FIG. 11 illustrates an example in which an agent IC card function is incorporated in a device main body;

FIG. 12 illustrates an example of an owner device in which a plurality of owner IC cards can be used;

FIG. 13 illustrates an example in which plural owner IC card functions are incorporated in a device main body;

FIG. 14 is a functional block diagram illustrating a system in which agent authentication is performed by a public key system;

FIG. 15 illustrates an example of a data structure of a commission condition storage unit; and

FIG. 16 is a sequence diagram illustrating an authentication procedure in which a public key is used.

DESCRIPTION OF EMBODIMENTS

An embodiment of the invention will be described below with reference to the accompanying drawings.

FIG. 1 illustrates an outline of an embodiment of the invention. Referring to FIG. 1, an encryption data management system includes a management object apparatus 1, an agent-side apparatus 2, and an owner-side apparatus 3 which is connected to the agent-side apparatus 2 through a network.

The management object apparatus 1 includes an encryption data storage unit 1 a and a data processing request unit 1 b. The encryption data in the encryption data storage unit 1 a can be decrypted only with a key 3 a possessed by the owner-side apparatus 3. For example, in the case of the public key system, the key 3 a is the secret key, and the encryption data encrypted with the public key corresponding to the secret key is stored in the encryption data storage unit 1 a. When detecting an access to the encryption data in the encryption data storage unit 1 a, the data processing request unit 1 b transmits a data processing request including the access object encryption data to the agent-side apparatus 2.

The agent-side apparatus 2 includes a transmission unit 2 a and a transfer unit 2 b. The transmission unit 2 a transmits authentication information indicating that an agent has proxy to the owner-side apparatus 3 in response to operation input from the agent. The transfer unit 2 b transfers a data processing request to the owner-side apparatus 3 when the management object apparatus 1 supplies the data processing request including the encryption data. The owner-side apparatus 3 sends back a processing result in response to the data processing request, and the transfer unit 2 b transfers the processing result to the management object apparatus 1.

The owner-side apparatus 3 includes the key 3 a, a commission condition storage unit 3 b, an agent authentication unit 3 c, a processing request permission determination unit 3 d, a data processing unit 3 e, and a result transmission unit 3 f. A performing unit 3 g for performing processing includes the key 3 a, the processing request permission determination unit 3 d, and the data processing unit 3 e.

The key 3 a is data which is used to decrypt the encryption data stored in the management object apparatus 1. Verification authentication information for authenticating the agent and a commission condition of the agent who uses the agent-side apparatus 2 are previously stored in the commission condition storage unit 3 b. When receiving the authentication information from the agent-side apparatus 2, the agent authentication unit 3 c authenticates the agent who operates the agent-side apparatus 2 based on the authentication information. The processing request permission determination unit 3 d receives the data processing request from the agent-side apparatus 2 and permits the processing corresponding to the data processing request when the agent who operates the agent-side apparatus 2 is correctly authenticated and when the processing falls within a range of the agent commission condition indicated by the commission condition storage unit 3 b. When the processing corresponding to the data processing request is permitted, the data processing unit 3 e performs the data processing associated with the decryption of the encryption data included in the permitted data processing request using the key 3 a. The result transmission unit 3 f transmits the processing result to the agent-side apparatus 2.

In the encryption data management system, the agent-side apparatus 2 transmits the authentication information indicating that the agent has the proxy to the owner-side apparatus 3 in response to the input operation from the agent. Then the owner-side apparatus 3 authenticates the agent who operates the agent-side apparatus 2 based on the authentication information. When the management object apparatus 1 supplies the data processing request including the encryption data, the agent-side apparatus 2 transfers the data processing request to the owner-side apparatus 3. The processing request permission determination unit 3 d of the owner-side apparatus 3 permits the processing corresponding to the data processing request when the agent who operates the agent-side apparatus 2 is correctly authenticated and when the requested processing falls within the range of the agent commission condition indicated by the commission condition storage unit 3 b. When the processing is permitted, the data processing unit 3 e performs the data processing associated with the decryption of the encryption data included in the permitted data processing request. The result transmission unit 3 f transmits the processing result to the agent-side apparatus 2. The agent-side apparatus 2 transfers the processing result to the management object apparatus 1.

Thus, the owner-side apparatus 3 performs the processing associated with the decryption of the encryption data within the range of the commission condition imparted to the agent, in the case of a data processing request made through the agent-side apparatus 2 used by the authenticated agent. That is, the owner can commission the maintenance and management of the management object apparatus 1, associated with the data processing in which the encryption data is used, to the agent while the key 3 a is left in the owner-side apparatus 3. As a result, it is unnecessary for the owner to impart to the agent the authority to completely freely process the encryption data stored in the management object apparatus 1, thereby reducing the information security risk.

The technique is particularly useful in the case where the management object apparatus 1 is remotely installed. This is because the management object apparatus 1 cannot be monitored by the owner when the agent goes to the remote management object apparatus 1 to perform the maintenance and management.

From the viewpoint of security, preferably the key 3 a of the owner-side apparatus 3 is stored in the IC card rather than being always stored in the owner-side apparatus 3, and the IC card is inserted into the owner-side apparatus 3 only when needed. The embodiment will be described below by taking the case in which the key is managed in the IC card as an example.

First Embodiment

FIG. 2 illustrates an example of a system configuration of the embodiment. The encryption data management system of the embodiment includes an agent device 100, an owner device 200, and a management object system 300. The agent device 100 is a device possessed by an operator (agent) who performs the maintenance and management of the management object system 300 on behalf of the owner. The owner device 200 is a device which is installed at a location of the owner of information stored in the management object system 300. The management object system 300 is a computer system which retains the information on the owner, and manages part of the information while that part of the information is encrypted with the public key.

The agent device 100 includes a device main body 101, a card-type probe 102, and an IC card reader/writer 103. For example, the device main body 101 may be a notebook computer. The device main body 101 is connected to a network 10 through a radio base station 40 by a wireless communication function. The agent-side apparatus is formed by adding an agent IC card 30 to the agent device 100.

The card-type probe 102 and the IC card reader/writer 103 are connected to the device main body 101 by a communication method such as USB (Universal Serial Bus). The card-type probe 102 can be inserted in an IC card reader/writer 302 included in the management object system 300, and the IC card reader/writer 302 can recognize the card-type probe 102 as a usual IC card. The IC card reader/writer 103 reads data in the inserted agent IC card 30.

The owner device 200 includes a device main body 201 and an IC card reader/writer 202. For example, the device main body 201 may be a computer used by the owner. The device main body 201 is connected to the network 10. The IC card reader/writer 202 performs data exchange with the inserted owner IC card 20. The owner-side apparatus is formed by adding the owner IC card 20 to the owner device 200.

The management object system 300 includes a device main body 301 in which the encryption data is stored and an IC card reader/writer 302. For example, the device main body 301 may be a computer which performs security management in a large-scale database system. The IC card reader/writer 302 performs the data exchange through the card-type probe 102.

FIG. 3 illustrates an example of a hardware configuration of the agent device used in the embodiment. A CPU (Central Processing Unit) 101 a controls the device main body 101 of the agent device 100. A RAM (Random Access Memory) 101 b, a Hard Disk Drive (HDD) 101 c, a graphic processing instrument 101 d, an input interface 101 f, an external-device connection interface 101 i, and a wireless communication interface 101 j are connected to the CPU 101 a through a bus 101 k.

The RAM 101 b is used as a main storage device of the device main body 101. At least a part of an OS (Operating System) program and an application program, which the CPU 101 a is caused to execute, is tentatively stored in the RAM 101 b. Various pieces of data necessary for the processing performed by the CPU 101 a are stored in the RAM 101 b. The HDD 101 c is used as a secondary storage device of the device main body 101. The OS program, the application program, and various pieces of data are stored in the HDD 101 c. A semiconductor storage device such as a flash memory can also be used as the secondary storage device.

A monitor 101 e is connected to the graphic processing instrument 101 d. The graphic processing instrument 101 d causes the monitor 101 e to display an image on a screen according to a command from the CPU 101 a. A liquid crystal display device may be cited as an example of the monitor 101 e.

A keyboard 101 g and a pointing device 101 h are connected to the input interface 101 f. The input interface 101 f transmits a signal sent from the keyboard 101 g and pointing device 101 h to the CPU 101 a through the bus 101 k. Examples of the pointing device 101 h include a mouse, a touch panel, a tablet, a touch pad, and a track ball.

The external-device connection interface 101 i is a communication interface which conducts communication with an external device. A USB interface may be cited as an example of the external-device connection interface 101 i. The card-type probe 102 and the IC card reader/writer 103 are connected to the external-device connection interface 101 i.

The wireless communication interface 101 j is a communication interface which can wirelessly conduct data communication. The wireless communication interface 101 j conducts wireless communication with the radio base station 40.

The processing function of the embodiment can be realized by the above-described hardware configuration. Although FIG. 3 illustrates the hardware configuration of the agent device 100, the owner device 200 and the management object system 300 can also be realized by a similar hardware configuration. However, a network interface which can directly be connected to the network 10 may be provided for the owner device 200 instead of the wireless communication interface.

An encryption data management function will be described below.

FIG. 4 is a block diagram illustrating the encryption data management function. The owner IC card 20 includes an owner card identifier 21, a secret key 22, and a data processing unit 23. The owner card identifier 21 is identification information which is used to uniquely identify the owner IC card 20. The owner card identifier 21 is stored in a ROM (Read Only Memory) of the owner IC card 20. The secret key 22 is key data which is used to decrypt the encryption data stored in an encryption data storage unit 320 of the management object system 300. The secret key 22 is stored in a highly tamper-resistant memory of the owner IC card 20.

The data processing unit 23 encrypts and decrypts the data using the secret key 22. For example, an encryption/decryption circuit provided in the owner IC card 20 may act as the data processing unit 23.

The agent IC card 30 has a memory, and agent authentication information 31 and an agent card identifier 32 are stored in the memory. The agent authentication information 31 is authentication information which is used to authenticate the agent. In the embodiment, a set of a user name and a password of the agent is used as the authentication information. The owner having the owner IC card 20 sets the agent authentication information 31 in the agent IC card 30. The agent card identifier 32 is identification information which is used to uniquely identify the agent IC card 30.

The agent device 100 includes an encryption communication unit 110, a connection request unit 120, and a processing request relay unit 130. The encryption communication unit 110 conducts the data communication with the owner device 200 in an encrypted manner.

The connection request unit 120 makes a connection request to the owner device 200 in response to the operation input from the agent. When accepting the operation input for instructing the connection, the connection request unit 120 reads the agent authentication information 31 and the agent card identifier 32 from the agent IC card 30. Then the connection request unit 120 transmits the connection request including the agent authentication information 31 and the agent card identifier 32 to the owner device 200 through the encryption communication unit 110.

Alternatively, the connection request unit 120 does not read the agent authentication information 31 from the agent IC card 30, but obtains the agent authentication information 31 from the operation input performed by the agent.

The processing request relay unit 130 transfers the encryption data processing request made by the management object system 300 to the owner device 200. The processing request relay unit 130 obtains the agent card identifier 32 from the agent IC card 30 when receiving the processing request including the encryption data stored in the encryption data storage unit 320 from the management object system 300. The processing request relay unit 130 transmits the processing request, to which the agent card identifier 32 is imparted, to the owner device 200 through the encryption communication unit 110.

The owner device 200 includes an encryption communication unit 210, a commission condition storage unit 220, an authentication unit 230, and a processing request permission determination unit 240. The encryption communication unit 210 conducts the data communication with the agent device 100 in an encrypted manner.

The commission condition storage unit 220 is a storage function for storing authentication information on an agent having the agent IC card 30 and a commission condition imparted to the agent. For example, a part of an HDD storage area included in the device main body 201 of the owner device 200 is used as the commission condition storage unit 220.

The authentication unit 230 authenticates the agent based on the connection request transmitted from the agent device 100. The authentication unit 230 extracts the agent card identifier 32 and the agent authentication information 31 from the connection request. Then, the authentication unit 230 searches the commission condition storage unit 220 for the authentication information corresponding to the set of the agent card identifier 32 and the owner card identifier 21 of the owner IC card 20. The authentication unit 230 checks the applicable authentication information against the agent authentication information 31 included in the connection request. When the applicable authentication information matches the agent authentication information 31, the authentication unit 230 determines that the agent is authorized, and notifies the agent device 100 of the authentication result. In the case of successful authentication, the authentication unit 230 notifies the processing request permission determination unit 240 of the authenticated set of the agent card identifier 32 and the owner card identifier 21.

The processing request permission determination unit 240 determines whether or not the processing request is permitted based on the processing request transmitted from the agent device 100. When receiving the processing request from the agent device 100, the processing request permission determination unit 240 determines whether or not the processing request is transmitted from the successfully authenticated agent based on the agent card identifier 32 imparted to the processing request. Then, the processing request permission determination unit 240 obtains the commission condition corresponding to the set of the agent card identifier 32 and the owner card identifier 21 of the owner IC card 20 from the commission condition storage unit 220. The processing request permission determination unit 240 determines whether or not the processing request falls within the range of the commission condition of the agent. When the processing request falls within the range of the commission condition of the successfully authenticated agent, the processing request permission determination unit 240 transmits the processing request to the owner IC card 20. Upon receiving the processing result from the owner IC card 20, the processing request permission determination unit 240 transmits the processing result to the agent device 100 through the encryption communication unit 210.

The management object system 300 includes a security management unit 310 and the encryption data storage unit 320. The security management unit 310 manages security of the data in the management object system 300. Only access to the encryption data through the security management unit 310 is permitted when a process executing various programs in the management object system 300 accesses the encryption data. That is, when the agent requires the decryption of the encryption data in the system maintenance and management work, the security management unit 310 performs the processing corresponding to a decryption request in which the encryption data is specified.

The security management unit 310 includes an IC card processing request unit 311 which is one of the security management functions. The IC card processing request unit 311 makes a request to the owner IC card 20 to perform the encryption data processing when the encryption data is accessed. When receiving the request to decrypt the encryption data, the IC card processing request unit 311 obtains the specified encryption data from the encryption data storage unit 320. The IC card processing request unit 311 transmits the processing request indicating the processing for decrypting the obtained encryption data to the agent device 100. The management object system 300 and the agent device 100 are connected by the card-type probe 102 of the agent device 100, which is inserted in the IC card reader/writer 302 of the management object system 300. Accordingly, the IC card processing request unit 311 recognizes that the agent IC card 30 is inserted in the IC card reader/writer 302.

The encryption data is stored in the encryption data storage unit 320. The encryption data is encrypted by the public key which is simultaneously produced along with the secret key 22 of the owner IC card 20. The encryption data which is encrypted by the public key can be decrypted only by the secret key 22.

Contents of the commission condition storage unit 220 will be described below.

FIG. 5 illustrates an example of a data structure of the commission condition storage unit 220. Fields such as an agent card identifier, agent authentication information, an owner card identifier, a permission date and time, and the number of permission times are provided in the commission condition storage unit 220.

The identification information (agent card identifier) on the agent IC card 30 delivered to the agent is set in the agent card identifier field. The agent authentication information is set in the agent authentication information field. Referring to FIG. 5, a user name and a password of the owner are set as the authentication information. The identification information of the owner IC card 20 (owner card identifier) possessed by the owner is set in the owner card identifier field. The date and time in which the proxy is permitted to the agent (permission date and time) are set in the permission date and time field. A period can also be set in the permission date and time field by using a starting date and time and an ending date and time. The number of times the data processing is permitted with the owner IC card 20 (number of permission times) is set in the field of the number of permission times.

Thus, in the commission condition storage unit 220, the authentication information and the commission conditions (permission date and time and the number of permission times) of the agent are set in correlation with the pair of the owner IC card 20 and the agent IC card 30. Accordingly, the agent authentication and the determination of whether or not the processing request from the agent is permitted can be made by referring to the commission condition storage unit 220.
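The following is an added example, not code from the patent, of how the commission condition storage unit 220 of FIG. 5 and the two checks made against it (the authentication unit 230 and the processing request permission determination unit 240) could be modelled. It keys each row by the set of agent card identifier and owner card identifier as the text describes, enforces the permission date and time as a window with a start and an end, and consumes one permission time per permitted request. All identifiers, credentials and dates are constructed for the example; the class and method names are assumptions of this example and do not appear in the document.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set, Tuple


@dataclass
class CommissionCondition:
    """One row of the commission condition storage unit 220 (fields of FIG. 5)."""
    agent_card_id: str         # agent card identifier 32
    user_name: str             # agent authentication information 31 ...
    password: str              # ... (user name and password in this embodiment)
    owner_card_id: str         # owner card identifier 21
    permitted_from: datetime   # permission date and time: start of the window
    permitted_until: datetime  # permission date and time: end of the window
    remaining_uses: int        # number of permission times still available


class CommissionConditionStore:
    """Rows are looked up by the set (agent card identifier, owner card identifier)."""

    def __init__(self, rows):
        self._rows: Dict[Tuple[str, str], CommissionCondition] = {
            (r.agent_card_id, r.owner_card_id): r for r in rows}

    def lookup(self, agent_card_id: str, owner_card_id: str) -> Optional[CommissionCondition]:
        return self._rows.get((agent_card_id, owner_card_id))


class OwnerDevice:
    """Authentication unit 230 plus processing request permission determination unit 240."""

    def __init__(self, store: CommissionConditionStore, owner_card_id: str):
        self.store = store
        self.owner_card_id = owner_card_id       # read from the inserted owner IC card 20
        self._authenticated: Set[str] = set()    # agent card ids handed from unit 230 to unit 240

    def authenticate(self, agent_card_id: str, user_name: str, password: str) -> bool:
        cond = self.store.lookup(agent_card_id, self.owner_card_id)
        if cond is None:
            return False
        # Constant-time comparison of both fields; each is evaluated regardless of the other.
        name_ok = hmac.compare_digest(cond.user_name.encode(), user_name.encode())
        pw_ok = hmac.compare_digest(cond.password.encode(), password.encode())
        if name_ok and pw_ok:
            self._authenticated.add(agent_card_id)
        return name_ok and pw_ok

    def permit(self, agent_card_id: str, now: datetime) -> Tuple[bool, str]:
        """Decide whether one processing request tagged with agent_card_id may go to the owner IC card."""
        if agent_card_id not in self._authenticated:
            return False, "agent not authenticated"
        cond = self.store.lookup(agent_card_id, self.owner_card_id)
        if cond is None:
            return False, "no commission condition"
        if not (cond.permitted_from <= now <= cond.permitted_until):
            return False, "outside permission date and time"
        if cond.remaining_uses <= 0:
            return False, "number of permission times exhausted"
        cond.remaining_uses -= 1   # each permitted request consumes one permission time
        return True, "permitted"


def build_sample_store() -> CommissionConditionStore:
    # Constructed sample row; identifiers, credentials and dates are invented for this example.
    return CommissionConditionStore([CommissionCondition(
        agent_card_id="AGENT-CARD-0001", user_name="agent01", password="example-password",
        owner_card_id="OWNER-CARD-0001",
        permitted_from=datetime(2008, 4, 1, 9, 0), permitted_until=datetime(2008, 4, 1, 18, 0),
        remaining_uses=2)])


def demo() -> dict:
    """Run the checks in the order the sequence of FIG. 6 would exercise them."""
    owner = OwnerDevice(build_sample_store(), owner_card_id="OWNER-CARD-0001")
    during = datetime(2008, 4, 1, 10, 30)
    out = {}
    out["before_auth"] = owner.permit("AGENT-CARD-0001", during)[0]
    out["bad_password"] = owner.authenticate("AGENT-CARD-0001", "agent01", "wrong")
    out["auth"] = owner.authenticate("AGENT-CARD-0001", "agent01", "example-password")
    out["too_early"] = owner.permit("AGENT-CARD-0001", datetime(2008, 4, 1, 8, 0))
    out["first"] = owner.permit("AGENT-CARD-0001", during)[0]
    out["second"] = owner.permit("AGENT-CARD-0001", during)[0]
    out["third"] = owner.permit("AGENT-CARD-0001", during)
    out["next_day"] = owner.permit("AGENT-CARD-0001", datetime(2008, 4, 2, 10, 30))[0]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The date window is checked before the remaining count so that an expired commission is reported as such even when unused permission times remain; the count is decremented only on a permitted request, which is what makes "number of permission times" a bound on decryptions actually performed with the owner IC card 20.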

In the system having the above-described configuration, the owner can perform the data processing including the decryption of the encryption data in the remote management object system 300 while keeping the owner IC card 20 at hand. The data processing including the decryption of the encryption data will be described below.

FIG. 6 is a sequence diagram illustrating a processing procedure when data processing is normally performed. FIG. 6 illustrates processing performed by the management object system 300, agent device 100, owner device 200, and owner IC card 20. The processing shown in FIG. 6 will be described.

(Step S11) The agent device 100 transmits the connection request to the owner device 200 in response to the operation input from the agent. The connection request unit 120 of the agent device 100 accepts the operation input for instructing the connection with the owner device 200. Then the connection request unit 120 obtains the agent authentication information 31 and the agent card identifier 32 from the agent IC card 30. The connection request unit 120 produces the connection request including the agent authentication information 31 and the agent card identifier 32. The produced connection request is encrypted by the encryption communication unit 110 and transmitted to the owner device 200 by the wireless communication.

(Step S12) The owner device 200 performs the user authentication of the agent in response to the connection request. The encryption communication unit 210 of the owner device 200 receives the connection request transmitted from the agent device 100. The encryption communication unit 210 decrypts the received connection request and delivers the connection request to the authentication unit 230. The authentication unit 230 obtains the owner card identifier 21 from the owner IC card 20. Then, the authentication unit 230 retrieves from the commission condition storage unit 220 the authentication information corresponding to the set of the obtained owner card identifier 21 and the agent card identifier 32 included in the connection request. The authentication unit 230 checks the retrieved authentication information against the agent authentication information 31 included in the connection request. When the user name and the password match, the authentication unit 230 determines that the agent is authorized.

(Step S13) When the authentication is successful, the authenticationunit 230 transmits authentication notification indicating that the agentis correctly authenticated to the agent device 100. The authenticationunit 230 delivers the authentication notification to the encryptioncommunication unit 210. The encryption communication unit 210 encryptsthe authentication notification and transmits the authenticationnotification to the agent device 100. In the agent device 100, theencryption communication unit 110 receives the encrypted authenticationnotification. The encryption communication unit 110 decrypts theauthentication notification and delivers the authentication notificationto the connection request unit 120. When receiving the authenticationnotification, the connection request unit 120 displays the successfulauthentication on the monitor 101 e of the agent device 100.

The authentication unit 230 of the owner device 200 delivers thecorrectly-authenticated set of the agent card identifier 32 and theowner card identifier 21 to the processing request permissiondetermination unit 240.

(Step S14) The agent performs the operation input to the managementobject system 300 to perform the maintenance and management work. Thesecurity management unit 310 of the management object system 300 obtainsthe access object encryption data from the encryption data storage unit320 when detecting the access to the encryption data 320 during themaintenance and management work. The IC card processing request unit 311of the security management unit 310 transmits the data processingrequest including the encryption data to the agent device 100.

(Step S15) The agent device 100 transfers the data processing request tothe owner device 200. The processing request relay unit 130 of the agentdevice 100 receives the data processing request transmitted from themanagement object system 300. When receiving the data processing requestincluding the encryption data from the management object system 300, theprocessing request relay unit 130 obtains the agent card identifier 32from the agent IC card 30 and imparts the agent card identifier 32 tothe data processing request. The processing request relay unit 130delivers the data processing request to the encryption communicationunit 110. The encryption communication unit 110 encrypts the dataprocessing request and transmits the data processing request to theowner device 200.

(Step S16) The owner device 200 makes the permission determination. Theencryption communication unit 210 of the owner device 200 receives thedata processing request transmitted from the agent device 100. Theencryption communication unit 210 decrypts the encrypted data processingrequest and delivers the data processing request to the processingrequest permission determination unit 240. The processing requestpermission determination unit 240 refers to the commission conditionstorage unit 220 to determine whether or not the data processing requestis permitted. The processing for determining whether or not the dataprocessing request is permitted will be described in detail later (seeFIG. 9). In the example of FIG. 6, it is assumed that the dataprocessing request is permitted.

(Step S17) The agent device 100 transmits the data processing request tothe owner IC card 20. When the data processing request is permitted, theprocessing request permission determination unit 240 of the owner device200 deletes the agent card identifier 32 from the data processingrequest. The processing request permission determination unit 240transmits the data processing request, from which the agent cardidentifier 32 is removed, to the owner IC card 20.

(Step S18) The owner IC card 20 performs the data processing in responseto the data processing request. In the owner IC card 20, the dataprocessing unit 23 receives the data processing request. The dataprocessing unit 23 decrypts the encryption data included in the dataprocessing request using the secret key 22.

(Step S19) The data processing unit 23 transmits the decrypted plaintextdata which is the processing result to the owner device 200.

(Step S20) The owner device 200 transmits the processing result receivedfrom the owner IC card 20 to the agent device 100. The processingrequest permission determination unit 240 of the owner device 200delivers the processing result received from the owner IC card 20 to theencryption communication unit 210. The encryption communication unit 210encrypts the processing result received from the processing requestpermission determination unit 240 and transmits the processing result tothe agent device 100.

(Step S21) When receiving the processing result from the owner device200, the agent device 100 transfers the processing result to themanagement object system 300. In the agent device 100, the encryptioncommunication unit 110 receives the processing result. The encryptioncommunication unit 110 decrypts the received processing result anddelivers the processing result to the processing request relay unit 130.The processing request relay unit 130 transmits the processing result tothe management object system 300 in response to the data processingrequest made by the management object system 300. In the managementobject system 300, the data processing associated with the maintenanceand management is performed based on the processing result.

Thus, the encryption data is decrypted using the secret key 22 stored inthe owner IC card 20.

The processing in the case where the agent authentication results in an error will be described below.

FIG. 7 is a sequence diagram illustrating a processing procedure when the agent authentication results in an error. The processing shown in FIG. 7 will be described with step numbers.

(Step S31) The agent device 100 transmits the connection request to the owner device 200 in response to the operation input from the agent. The detailed processing is similar to that in Step S11 of FIG. 6.

(Step S32) The owner device 200 performs the user authentication in response to the connection request. The detailed processing is similar to that in Step S12 of FIG. 6. In the example of FIG. 7, it is assumed that the authentication information obtained from the commission condition storage unit 220 does not match the agent authentication information 31 included in the connection request.

(Step S33) The authentication unit 230 of the owner device 200 notifies the agent device 100 of an authentication error. The authentication unit 230 delivers a message (authentication error message) indicating the authentication error to the encryption communication unit 210. The encryption communication unit 210 encrypts the authentication error message and transmits the authentication error message to the agent device 100. In the agent device 100, the encryption communication unit 110 receives the authentication error message. The encryption communication unit 110 decrypts the authentication error message and delivers the authentication error message to the connection request unit 120. The connection request unit 120 displays the failed authentication on the monitor 101 e.

(Step S34) The agent may still perform work using the management object system 300 as long as the maintenance and management work does not use the encryption data. However, when the agent provides an instruction in which the encryption data is utilized to the management object system 300, the security management unit 310 of the management object system 300 detects the access to the encryption data 320 during the maintenance and management work. The security management unit 310 obtains the access object encryption data from the encryption data storage unit 320. The IC card processing request unit 311 of the security management unit 310 transmits the data processing request including the encryption data to the agent device 100.

(Step S35) The agent device 100 transfers the data processing request to the owner device 200. The detailed processing is similar to that in Step S15 of FIG. 6.

(Step S36) The owner device 200 makes the permission determination. The detailed processing is similar to that in Step S16 of FIG. 6. In the example of FIG. 7, it is assumed that the authentication unit 230 fails in the agent authentication. Therefore, the authentication unit 230 does not notify the processing request permission determination unit 240 of the agent card identifier 32 of the agent IC card 30. The processing request permission determination unit 240 recognizes that an unauthorized agent makes the data processing request because the authentication unit 230 has not notified the processing request permission determination unit 240 of the agent card identifier 32 imparted to the data processing request. Accordingly, the processing request permission determination unit 240 makes a determination that the data processing request is rejected.

(Step S37) The owner device 200 transmits the invalid result to the agent device 100. The processing request permission determination unit 240 of the owner device 200 delivers information (invalid information) indicating that the data processing request is invalid to the encryption communication unit 210. The encryption communication unit 210 encrypts the processing result received from the processing request permission determination unit 240 and transmits the processing result to the agent device 100.

(Step S38) When receiving the invalid result from the owner device 200, the agent device 100 transfers the invalid result to the management object system 300. In the agent device 100, the encryption communication unit 110 receives the invalid result. The encryption communication unit 110 decrypts the invalid result and delivers the invalid result to the processing request relay unit 130. The processing request relay unit 130 transmits the invalid result to the management object system 300 in response to the data processing request made by the management object system 300. In the management object system 300, the processing with the encryption data ends in an error due to the response of the invalid result.

Thus, the owner device 200 rejects the data processing request made by the unauthorized agent.

While the agent performs the maintenance and management work of the management object system 300, it is necessary for the owner to insert the owner IC card 20 into the IC card reader/writer 202 of the owner device 200. Even if the owner IC card 20 is inserted in the IC card reader/writer 202 when the agent starts the work, the subsequent processes with the encryption data are not performed once the owner removes the owner IC card 20 from the IC card reader/writer 202. That is, when learning that the agent performs unscheduled work, the owner can remove the owner IC card 20 from the IC card reader/writer 202 to protect the important data.

FIG. 8 is a sequence diagram illustrating a processing procedure when the owner IC card is removed. The processes illustrated in FIG. 8 will be described below with step numbers.

(Step S41) The agent device 100 transmits the connection request to the owner device 200 in response to the operation input from the agent. The detailed processing is similar to that in Step S11 of FIG. 6.

(Step S42) The owner device 200 performs the user authentication of the agent in response to the connection request. The detailed processing is similar to that in Step S12 of FIG. 6. In the example of FIG. 8, it is assumed that the owner IC card 20 is inserted in the IC card reader/writer 202 and the agent is correctly authenticated at this stage.

(Step S43) In the case of the correct authentication, the authentication unit 230 transmits the authentication notification indicating the correct authentication to the agent device 100. The detailed processing is similar to that in Step S13 of FIG. 6.

(Step S44) The agent performs the operation input to the management object system 300 to perform the maintenance and management work. It is assumed that the owner removes the owner IC card 20 from the IC card reader/writer 202 during the maintenance and management work. Then, when the security management unit 310 of the management object system 300 detects the access to the encryption data 320 during the maintenance and management work, the security management unit 310 obtains the access object encryption data from the encryption data storage unit 320. The IC card processing request unit 311 of the security management unit 310 transmits the data processing request including the encryption data to the agent device 100.

(Step S45) The agent device 100 transfers the data processing request to the owner device 200. The detailed processing is similar to that in Step S15 of FIG. 6.

(Step S46) The owner device 200 makes the permission determination. The detailed processing is similar to that in Step S16 of FIG. 6. In the example of FIG. 8, it is assumed that the data processing request is permitted.

(Step S47) The agent device 100 transmits the data processing request to the owner IC card 20. The detailed processing is similar to that in Step S17 of FIG. 6. In the example of FIG. 8, it is assumed that the data processing request is permitted. At this point, the owner IC card 20 is already removed from the IC card reader/writer 202. Therefore, there is no response of the processing result from the owner IC card 20.

(Step S48) The agent device 100 detects a timeout. The processing request permission determination unit 240 of the agent device 100 starts time measurement when the data processing request is transmitted to the owner IC card 20. A waiting time for a response to the data processing request is previously defined in the processing request permission determination unit 240. When the elapsed time after the data processing request is transmitted exceeds the waiting time, the processing request permission determination unit 240 determines that the timeout is detected.

(Step S49) The processing request permission determination unit 240 transmits the invalid result to the agent device 100. The detailed processing is similar to that in Step S37 of FIG. 7.

(Step S50) When receiving the invalid result from the owner device 200, the agent device 100 transfers the invalid result to the management object system 300. The detailed processing is similar to that in Step S38 of FIG. 7.

Thus, the subsequent pieces of processing with the encryption data are prohibited in the case where the owner removes the owner IC card 20. That is, even if the owner is remotely located from the management object system 300, the owner can instantaneously cancel the proxy when the need for canceling the proxy of the agent arises.

Then the processing performed by the processing request permission determination unit 240 will be described in detail.

FIG. 9 is a flowchart illustrating a procedure of processing request permission determination processing. The processing illustrated in FIG. 9 will be described below.

(Step S61) The processing request permission determination unit 240 obtains the data processing request transmitted from the agent device 100 via the encryption communication unit 210.

(Step S62) The processing request permission determination unit 240 determines whether or not the agent is already authenticated. The processing request permission determination unit 240 retains the set of the agent card identifier and owner card identifier of which the authentication unit 230 notifies the processing request permission determination unit 240 as already-authenticated card information. When receiving the data processing request, the processing request permission determination unit 240 obtains the agent card identifier 32 imparted to the data processing request while obtaining the owner card identifier 21 from the owner IC card 20. The processing request permission determination unit 240 determines whether or not the set of the agent card identifier 32 and the owner card identifier 21 matches one of the pieces of already-authenticated card information previously delivered from the authentication unit 230. When the set of the agent card identifier 32 and the owner card identifier 21 matches one of the pieces of already-authenticated card information, the processing request permission determination unit 240 determines that the agent is already authenticated. When the agent is already authenticated, the flow goes to Step S63. When the agent is not authenticated, the flow goes to Step S68.

(Step S63) The processing request permission determination unit 240 determines whether or not the current date and time fall within the permission date and time. The processing request permission determination unit 240 obtains the owner card identifier 21 from the owner IC card 20. The processing request permission determination unit 240 extracts the commission conditions (the permission date and time and the number of permission times) corresponding to the set of the agent card identifier 32 of the data processing request and the owner card identifier 21 from the commission condition storage unit 220. The processing request permission determination unit 240 determines whether or not the permission date and time of the extracted commission condition includes the current date and time. When the permission date and time includes the current date and time, the flow goes to Step S64. When the permission date and time does not include the current date and time, the flow goes to Step S68.

(Step S64) The processing request permission determination unit 240 determines whether or not the number of data processing times falls within the number of permission times. The processing request permission determination unit 240 stores the number of data processing times while correlating the number of data processing times with the set of the agent card identifier 32 and owner card identifier 21 (already-authenticated card information) received from the authentication unit 230. The number of data processing times is initialized to zero when the already-authenticated card information is delivered from the authentication unit 230. The processing request permission determination unit 240 determines whether or not the number of permission times of the commission condition extracted in Step S63 is larger than the number of data processing times. That is, the processing request permission determination unit 240 confirms that the number of data processing times does not exceed the number of permission times even if the data processing is permitted in response to the current data processing request. When the number of permission times is larger than the number of data processing times, the processing request permission determination unit 240 determines that the number of data processing times falls within the number of permission times. When the number of data processing times falls within the number of permission times, the flow goes to Step S65. When the number of data processing times does not fall within the number of permission times, the flow goes to Step S68.

(Step S65) The processing request permission determination unit 240 transfers the data processing request to the owner IC card 20. At this point, the processing request permission determination unit 240 removes the agent card identifier added to the data processing request from the transferred data processing request.

(Step S66) The processing request permission determination unit 240 determines whether or not the owner IC card 20 sends back the processing result. When the owner IC card 20 sends back the processing result, the flow goes to Step S69. When the owner IC card 20 does not send back the processing result, the flow goes to Step S67.

(Step S67) The processing request permission determination unit 240 makes the timeout determination. The processing request permission determination unit 240 makes the timeout determination when the elapsed time after the data processing request is transferred exceeds a specific waiting time. When the processing request permission determination unit 240 makes the timeout determination, the flow goes to Step S68. When the processing request permission determination unit 240 does not make the timeout determination, the flow returns to Step S66, and the processing request permission determination unit 240 waits for the processing result of the owner IC card 20.

(Step S68) In the case of the authentication error, in the case where the current date and time is not within the permission date and time, in the case where the number of data processing times would exceed the number of permission times if the current data processing request were permitted, and/or in the case of the generation of the timeout, the processing request permission determination unit 240 sends back the invalid result to the agent device 100. Then the processing is ended.

(Step S69) When receiving the processing result from the owner IC card 20, the processing request permission determination unit 240 increments the number of data processing times.

(Step S70) The processing request permission determination unit 240 sends back the processing result to the agent device 100. Thus, the processing performed by the agent using the encryption data can be permitted only within the range of the commission conditions set by the owner.
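As an added example (not code from the patent), the permission determination of FIG. 9 written out in Python, with the owner IC card 20 modelled as a callable, the Step S67 timeout modelled with a worker thread, and constructed class names and sample values; it walks the normal case of FIG. 6, the rejected request of FIG. 7 and the removed card of FIG. 8 through the same unit.

```python
# Added example (not the patent's code): FIG. 9, Steps S61 to S70; names and values constructed.
# The owner IC card 20 is a plain callable; the Step S67 timeout uses a worker thread.
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as ResultTimeout
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Optional, Tuple

CardPair = Tuple[str, str]   # (agent card identifier, owner card identifier)
INVALID = b"INVALID"         # the invalid result sent back in Step S68

@dataclass(frozen=True)
class CommissionCondition:
    """One entry of the commission condition storage unit 220 (FIG. 5)."""
    permitted_from: datetime   # permission date and time, start of window
    permitted_until: datetime  # permission date and time, end of window
    permitted_count: int       # number of permission times

@dataclass(frozen=True)
class DataProcessingRequest:
    agent_card_id: str         # imparted by the processing request relay unit 130 (Step S15)
    encryption_data: bytes     # the data the owner IC card is asked to decrypt

class PermissionDeterminationUnit:
    """Stand-in for the processing request permission determination unit 240."""

    def __init__(self, conditions: Dict[CardPair, CommissionCondition], owner_card_id: str,
                 owner_ic_card: Callable[[bytes], bytes], waiting_time: float) -> None:
        self.conditions = conditions
        self.owner_card_id = owner_card_id    # read from the owner IC card 20 in S62/S63
        self.owner_ic_card = owner_ic_card    # data processing unit 23 of the card
        self.waiting_time = waiting_time      # seconds before the S67 timeout determination
        # already-authenticated card information -> number of data processing times (S64)
        self.authenticated: Dict[CardPair, int] = {}

    def notify_authenticated(self, agent_card_id: str) -> None:
        """Called by the authentication unit 230 after Step S12 succeeds; the counter starts at zero."""
        self.authenticated[(agent_card_id, self.owner_card_id)] = 0

    def determine(self, request: DataProcessingRequest, now: datetime) -> bytes:
        pair = (request.agent_card_id, self.owner_card_id)
        # S62: the (agent card, owner card) set must be in the already-authenticated information.
        if pair not in self.authenticated:
            return INVALID
        # S63: the current date and time must fall inside the permission date and time.
        cond = self.conditions.get(pair)
        if cond is None or not (cond.permitted_from <= now <= cond.permitted_until):
            return INVALID
        # S64: the number of permission times must still exceed the count *before* this
        # request is counted, so that granting it cannot overshoot the limit.
        if not cond.permitted_count > self.authenticated[pair]:
            return INVALID
        # S65: only the encryption data is forwarded; the agent card identifier is removed.
        # S66/S67: wait for the card's processing result, giving up after waiting_time.
        result = self._forward_to_card(request.encryption_data)
        if result is None:
            return INVALID                  # S68: timeout (card removed, FIG. 8)
        self.authenticated[pair] += 1       # S69: increment the number of data processing times
        return result                       # S70: send back the processing result

    def _forward_to_card(self, encryption_data: bytes) -> Optional[bytes]:
        pool = ThreadPoolExecutor(max_workers=1)
        try:
            return pool.submit(self.owner_ic_card, encryption_data).result(timeout=self.waiting_time)
        except ResultTimeout:
            return None
        finally:
            pool.shutdown(wait=False)       # do not block on a card that never answers

def toy_owner_ic_card(data: bytes) -> bytes:
    """Constructed stand-in for decryption with the secret key 22: a fixed XOR, its own inverse."""
    return bytes(b ^ 0x5A for b in data)

def removed_owner_ic_card(data: bytes) -> bytes:
    """Constructed stand-in for a card pulled from the reader/writer: no answer within the waiting time."""
    time.sleep(1.0)
    return data

def demo() -> Dict[str, bytes]:
    """Run the cases of FIG. 6, FIG. 7 and FIG. 8 through the unit with constructed sample data."""
    window = CommissionCondition(datetime(2008, 3, 31, 9, 0), datetime(2008, 3, 31, 18, 0), permitted_count=2)
    conditions = {("AGENT-001", "OWNER-001"): window}
    ciphertext = toy_owner_ic_card(b"secret")   # what the management object system would send
    request = DataProcessingRequest("AGENT-001", ciphertext)
    during = datetime(2008, 3, 31, 10, 0)
    unit = PermissionDeterminationUnit(conditions, "OWNER-001", toy_owner_ic_card, waiting_time=0.2)
    out = {"unauthenticated": unit.determine(request, during)}       # FIG. 7: rejected at S62
    unit.notify_authenticated("AGENT-001")                          # Step S13 hand-over
    out["first"] = unit.determine(request, during)                   # FIG. 6: plaintext comes back
    out["second"] = unit.determine(request, during)                  # still within 2 permitted times
    out["outside_window"] = unit.determine(request, datetime(2008, 3, 31, 19, 0))  # S63 rejects
    out["count_exhausted"] = unit.determine(request, during)         # S64 rejects (2 of 2 used)
    removed = PermissionDeterminationUnit(conditions, "OWNER-001", removed_owner_ic_card, waiting_time=0.2)
    removed.notify_authenticated("AGENT-001")
    out["card_removed"] = removed.determine(request, during)         # FIG. 8: S67 timeout
    return out
```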

In the first embodiment, it is assumed that the processing is performed by the public key system in which the encryption data is encrypted with the public key. Alternatively, the secret key in the owner IC card can be used in both the encryption and the decryption. In the case where the plaintext data is encrypted with the secret key 22, the data processing request transmitted from the management object system 300 includes the plaintext data to be encrypted instead of the encryption data. In the owner IC card 20, the encryption is performed with the secret key 22, and the encryption data is transmitted as the processing result.

Second Embodiment

In the first embodiment, the management object system 300 and the agent device 100 are connected to each other by inserting the card-type probe 102 in the IC card reader/writer 302. However, the connection can also be established by another method.

FIG. 10 illustrates an example of connection in which a USB interface is used. In FIG. 10, components similar to the components in FIG. 2 are designated by the same numerals, and the descriptions thereof are omitted.

A management object system 410 includes a device main body 411. A USB controller which conducts the data communication according to the USB interface standard is incorporated in the device main body 411. An agent device 420 includes a device main body 421 and an IC card reader/writer 422. The agent IC card 30 may be inserted in the IC card reader/writer 422. The IC card reader/writer 422 performs read/write to the memory in the agent IC card 30. A USB controller is incorporated in the device main body 421. The device main body 411 of the management object system 410 and the device main body 421 of the agent device 420 are connected by a USB cable 51.

The function of the management object system 410 is similar to that of the management object system 300 shown in FIG. 4. The function of the agent device 420 is similar to that of the agent device 100 shown in FIG. 4.

The connection mode of the second embodiment enables the agent device 420 having no card-type probe to be connected to the management object system 410. The management object system 410 transmits the request to perform the processing of the encryption data to the agent device 420 connected by the USB cable 51. Therefore, the request to perform the processing of the encryption data can be transmitted to the owner device 200 through the agent device 420.

Third Embodiment

In a third embodiment, the agent IC card is incorporated as a virtual device in the device main body of the agent device.

FIG. 11 illustrates an example in which the agent IC card function is incorporated in the device main body. In FIG. 11, components similar to those of FIG. 2 are designated by the same numerals, and the descriptions thereof are omitted.

In the example of FIG. 11, an agent device 430 includes a device main body 431 and a card-type probe 402. A virtual agent IC card 432 is incorporated in the device main body 431. In the virtual agent IC card 432, the function of the agent IC card 30 shown in FIG. 4 is realized via software in the device main body 431. The agent device 430 includes the function of the management object system 300 shown in FIG. 4.

Therefore, the authentication information on the agent and the like can be managed without using the agent IC card.

Fourth Embodiment

In a fourth embodiment, a plurality of owner IC cards can be used concurrently.

FIG. 12 illustrates an example of an owner device in which the plurality of owner IC cards can be used concurrently. In FIG. 12, components similar to those of FIG. 2 are designated by the same numerals, and the descriptions thereof are omitted.

An owner device 440 includes a device main body 441 and a plurality of IC card readers/writers 442 to 444. Owner IC cards 20 a, 20 b, and 20 c are inserted in the IC card readers/writers 442, 443, and 444, respectively. The owner IC cards 20 a, 20 b, and 20 c each have a different secret key. The owner device 440 includes the function of the owner device 200 shown in FIG. 4.

In the case of the use of the owner device 440, the data in the management object system 300 is encrypted with the different public keys, and the data processing can be performed with the encryption data only when the owner IC card having the encryption key corresponding to each public key is connected.

Fifth Embodiment

In a fifth embodiment, a plurality of owner IC cards are incorporated as virtual devices in the device main body of the owner device.

FIG. 13 illustrates an example in which a plurality of owner IC card functions are incorporated in the device main body. In FIG. 13, the components similar to those of FIG. 2 are designated by the same numerals, and the descriptions thereof are omitted.

An owner device 500 includes an encryption communication unit 510, a commission condition storage unit 520, an authentication unit 530, a processing request permission determination unit 540, a data processing unit 550, and a plurality of virtual owner IC cards 560, 570, and 580. Each of the encryption communication unit 510, the commission condition storage unit 520, the authentication unit 530, and the processing request permission determination unit 540 has the same function as the corresponding component of the owner device 200 shown in FIG. 4. However, the processing request permission determination unit 540 transfers the data processing request to the data processing unit 550.

The data processing unit 550 performs the data processing with each of the secret keys 562, 572, and 582 in the virtual owner IC cards 560, 570, and 580 in response to the data processing request transferred from the processing request permission determination unit 540. Examples of the data processing include the data encryption and the data decryption.

In the virtual owner IC cards 560, 570, and 580, the function of the owner IC card 20 shown in FIG. 4 is realized via software in the owner device 500. The virtual owner IC cards 560, 570, and 580 include owner card identifiers 561, 571, and 581 and secret keys 562, 572, and 582, respectively.

Thus, the use of the plurality of virtual owner IC cards 560, 570, and 580 eliminates the need to connect plural IC card readers/writers to the owner device even if the plurality of owner IC cards are used concurrently.

Sixth Embodiment

In a sixth embodiment, the agent authentication is performed using the public key system encryption technique. The hardware configuration of the whole system of the sixth embodiment is similar to that of the first embodiment shown in FIG. 2.

FIG. 14 is a functional block diagram illustrating a system in which the agent authentication is performed by the public key system. In FIG. 14, the components similar to those of FIG. 4 are designated by the same numerals, and the descriptions thereof are omitted.

Referring to FIG. 14, an agent IC card 60 includes an agent card identifier 61, a secret key 62, and a data processing unit 63. The agent card identifier 61 is identification information which is used to uniquely identify the agent IC card 60. The secret key 62 is key information which is used to decrypt the data encrypted with the public key for the agent IC card 60. The data processing unit 63 is a processing function of performing processing for decrypting the encryption data with the secret key 62.

An agent device 600 includes an encryption communication unit 610, a connection request unit 620, and a processing request relay unit 630. The encryption communication unit 610 has the same function as the encryption communication unit 110 shown in FIG. 4. The processing request relay unit 630 has the same function as the processing request relay unit 130 shown in FIG. 4.

When receiving the operation input for the instruction to connect the agent device 600 to an owner device 700, the connection request unit 620 transmits the connection request to the owner device 700 through the encryption communication unit 610. The owner device 700 sends back encryption data (an encrypted random number sequence) in which a random number sequence is encrypted with the public key. When receiving the encrypted random number sequence, the connection request unit 620 transmits the encrypted random number sequence to the data processing unit 63 of the agent IC card 60. The data processing unit 63 sends back the random number sequence which is obtained by decrypting the encrypted random number sequence with the secret key 62. When receiving the random number sequence, the connection request unit 620 transmits the random number sequence as the authentication information to the owner device 700 through the encryption communication unit 610.

The owner device 700 includes an encryption communication unit 710, a commission condition storage unit 720, an authentication unit 730, and a processing request permission determination unit 740. The encryption communication unit 710 has the same function as the encryption communication unit 210 shown in FIG. 4. The processing request permission determination unit 740 has the same function as the processing request permission determination unit 240 shown in FIG. 4.

The public key and commission condition corresponding to the secret key 62 stored in the agent IC card 60 are stored in the commission condition storage unit 720. The public key and the secret key 62 are produced at the same time, and the data encrypted with the public key is decrypted only with the secret key 62.

The authentication unit 730 performs the agent authentication processing in response to the connection request from the agent device 600. When receiving the connection request from the agent device 600, the authentication unit 730 generates the random number sequence and stores the random number sequence in the memory. Then the authentication unit 730 obtains the public key corresponding to the agent IC card 60 from the commission condition storage unit 720, and encrypts the random number sequence with the obtained public key. At this point, the random number sequence before the encryption is retained as-is in the memory. The authentication unit 730 transmits the encrypted random number sequence to the agent device 600. When the agent device 600 transmits the random number sequence that is the authentication information, the authentication unit 730 checks the received random number sequence against the random number sequence stored in the memory. When the received random number sequence matches the random number sequence stored in the memory, the authentication unit 730 determines that the authentication is successfully performed.
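As an added example (not code from the patent), the exchange described above between the agent device 600, the agent IC card 60 and the owner device 700, with a textbook RSA on fixed small primes standing in for the real key pair (it is not a secure cipher and is only there so the block runs offline); the class names, card identifiers, and the choice to discard the stored random number sequence after a single check are assumptions of this illustration.

```python
# Added example (not the patent's code): the public-key agent authentication of the sixth
# embodiment (FIG. 14). Toy RSA on small fixed primes stands in for the real key pair;
# names, identifiers and sample values are constructed for this illustration.
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[int, int]   # (exponent, modulus)

def toy_keypair(p: int, q: int) -> Tuple[Key, Key]:
    """Produce the (public key, secret key) pair at the same time, as the page describes."""
    n, e = p * q, 65537
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def pk_apply(key: Key, value: int) -> int:
    """Encrypt with a public key, or decrypt with the matching secret key."""
    exponent, modulus = key
    return pow(value, exponent, modulus)

@dataclass
class AgentICCard:
    """Agent IC card 60: agent card identifier 61, secret key 62, data processing unit 63."""
    card_id: str
    secret_key: Key

    def data_processing_unit(self, encrypted_sequence: List[int]) -> List[int]:
        return [pk_apply(self.secret_key, c) for c in encrypted_sequence]

@dataclass
class OwnerDevice:
    """Owner device 700: authentication unit 730 over the commission condition storage unit 720."""
    # agent card identifier -> public key kept in the agent authentication information field (FIG. 15)
    public_keys: Dict[str, Key]
    # random number sequences held in memory, correlated with the agent card identifier (Step S82)
    pending: Dict[str, List[int]] = field(default_factory=dict)
    sequence_length: int = 8

    def on_connection_request(self, agent_card_id: str) -> Optional[List[int]]:
        """Steps S82/S83: keep the plaintext sequence, send back an encrypted duplicate."""
        public_key = self.public_keys.get(agent_card_id)
        if public_key is None:
            return None   # unregistered card: no challenge is issued (assumption, not stated on the page)
        modulus = public_key[1]
        sequence = [secrets.randbelow(modulus - 2) + 2 for _ in range(self.sequence_length)]
        self.pending[agent_card_id] = sequence
        return [pk_apply(public_key, m) for m in sequence]

    def on_authentication_information(self, agent_card_id: str, received: List[int]) -> bool:
        """Check the received sequence against the stored one; the stored copy is consumed (assumption)."""
        expected = self.pending.pop(agent_card_id, None)
        return expected is not None and received == expected

@dataclass
class AgentDevice:
    """Agent device 600: the connection request unit 620 drives the exchange."""
    card: AgentICCard

    def connect(self, owner: OwnerDevice) -> bool:
        encrypted = owner.on_connection_request(self.card.card_id)   # S81, answered by S82/S83
        if encrypted is None:
            return False
        decrypted = self.card.data_processing_unit(encrypted)        # S84: card decrypts with key 62
        return owner.on_authentication_information(self.card.card_id, decrypted)

def demo() -> Dict[str, bool]:
    """Constructed cases: registered card, card with another secret key, unregistered card, replay."""
    genuine_public, genuine_secret = toy_keypair(10007, 10009)
    _other_public, other_secret = toy_keypair(10037, 10039)
    owner = OwnerDevice({"AGENT-060": genuine_public})
    results = {
        "registered_card": AgentDevice(AgentICCard("AGENT-060", genuine_secret)).connect(owner),
        "wrong_secret_key": AgentDevice(AgentICCard("AGENT-060", other_secret)).connect(owner),
        "unregistered_card": AgentDevice(AgentICCard("AGENT-999", other_secret)).connect(owner),
    }
    # Replay: a sequence already checked once is not accepted again, because the stored copy was consumed.
    card = AgentICCard("AGENT-060", genuine_secret)
    answer = card.data_processing_unit(owner.on_connection_request(card.card_id))
    first = owner.on_authentication_information(card.card_id, answer)
    results["replay"] = first and owner.on_authentication_information(card.card_id, answer)
    return results
```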

FIG. 15 illustrates an example of a data structure of the commissioncondition storage unit. The fields such as the agent card identifier,agent authentication information, the owner card identifier, thepermission date and time, and the number of permission times areprovided in the commission condition storage unit 720. The pieces ofinformation stored in the fields, except for the agent authenticationinformation, are identical to those of the commission condition storageunit 220 shown in FIG. 5. The public key is set as the agentauthentication information in the agent authentication informationfield.

FIG. 16 is a sequence diagram illustrating an authentication procedurein which the public key is used. FIG. 16 illustrates the processingperformed by the agent IC card 60, the agent device 600, and the ownerdevice 700. The pieces of processing shown in FIG. 16 will be describedbelow along the Step number.

(Step S81) The agent device 600 transmits the connection request to the owner device 200 in response to the operation input from the agent. The connection request unit 620 of the agent device 600 accepts the operation input for instructing the connection to the owner device 700. Then the connection request unit 620 obtains the agent card identifier 61 from the agent IC card 60. The connection request unit 620 produces the connection request including the agent card identifier 61. The produced connection request is encrypted by the encryption communication unit 610 and transmitted to the owner device 700 through the wireless communication.

(Step S82) The owner device 700 produces and encrypts the random number sequence. When receiving the connection request, the authentication unit 730 of the owner device 700 produces the random number sequence. The authentication unit 730 stores the produced random number sequence in the memory such as RAM while correlating the random number sequence with the agent card identifier 61 included in the connection request. Then the authentication unit 730 retrieves the public key corresponding to the agent card identifier 61 included in the connection request from the commission condition storage unit 720. The authentication unit 730 produces a duplicate of the random number sequence stored in the memory, and encrypts the duplicated random number sequence using the retrieved public key.

(Step S83) The authentication unit 730 of the owner device 700 transmits the encrypted random number sequence (encrypted random number sequence) to the agent device.

(Step S84) The connection request unit 620 of the agent device 600 transfers the encrypted random number sequence, transmitted from the owner device 700, to the agent IC card 60.

(Step S85) The agent IC card 60 decrypts the random number sequence. The data processing unit 63 of the agent IC card 60 decrypts the received encrypted random number sequence with the secret key 62.

(Step S86) The data processing unit 63 of the agent IC card 60 imparts the agent card identifier 61 to the decrypted random number sequence and transmits the random number sequence to the agent device 600.

(Step S87) The connection request unit 620 of the agent device 600 transfers the random number sequence, transmitted from the agent IC card 60, to the owner device 700.

(Step S88) The owner device 700 verifies the random number sequence transmitted from the agent device 600. Based on the agent card identifier imparted to the random number sequence transmitted from the agent device 600, the authentication unit 730 of the owner device 700 reads the random number sequence corresponding to the agent card identifier from the memory. The authentication unit 730 checks the random number sequence read from the memory with the random number sequence transmitted from the agent device 600. When the random number sequence read from the memory matches the random number sequence transmitted from the agent device 600, the authentication unit 730 correctly authenticates the agent IC card 60.

(Step S89) In the case of the correct authentication, the authentication unit 730 of the owner device 700 transmits the authentication notification indicating the correct authentication to the agent device 600.

Thus, the use of the unauthorized agent IC card 60 (for example, unauthorized use by forgery of agent card identifier) can be prevented. In the sixth embodiment, the configuration can be changed as shown in the second to fifth embodiments.
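The challenge-response exchange of Steps S81 to S89, the record layout of FIG. 15 and the forged-identifier case of the preceding paragraph, carried through as an added Python example (this is not the patent's own code). The class and function names (OwnerDevice, AgentICCard, CommissionCondition, run_protocol) and the key pairs are assumptions: the pairs are toy textbook RSA built from fixed Mersenne primes so the block runs offline on the standard library, where a deployment would use properly generated keys, a padded scheme such as RSA-OAEP and a dedicated crypto library.

```python
"""Challenge-response authentication of the agent IC card (Steps S81-S89).

Added example, not the patent's code. Key pairs are toy textbook RSA from
fixed Mersenne primes (an assumption made so this runs offline).
Requires Python 3.8+ for pow(e, -1, m).
"""
import hmac
import secrets
from dataclasses import dataclass


def make_toy_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public_key, secret_key)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


# Assumed key material: the agent's pair (secret key 62 lives on the card)
# and an unrelated pair to model a card presenting a forged identifier.
AGENT_PUBLIC, AGENT_SECRET = make_toy_keypair((1 << 127) - 1, (1 << 89) - 1)
OTHER_PUBLIC, OTHER_SECRET = make_toy_keypair((1 << 107) - 1, (1 << 61) - 1)

CHALLENGE_BYTES = 16   # random number sequence length; well below the modulus
CMP_WIDTH = 32         # fixed width for the constant-time comparison


def rsa_encrypt(public_key, m):
    e, n = public_key
    return pow(m, e, n)


def rsa_decrypt(secret_key, c):
    d, n = secret_key
    return pow(c, d, n)


@dataclass
class CommissionCondition:
    """One record of the commission condition storage unit 720 (FIG. 15)."""
    agent_card_id: str
    agent_public_key: tuple     # the agent authentication information field
    owner_card_id: str
    permission_datetime: str
    permission_times: int


class AgentICCard:
    """Agent IC card 60: holds identifier 61 and secret key 62."""

    def __init__(self, card_id, secret_key):
        self.card_id = card_id
        self._secret_key = secret_key   # never exported from the card

    def answer_challenge(self, encrypted_challenge):
        # Steps S85-S86: decrypt, then impart the card identifier
        return self.card_id, rsa_decrypt(self._secret_key, encrypted_challenge)


class OwnerDevice:
    """Authentication unit 730 of owner device 700."""

    def __init__(self, conditions):
        self._conditions = {c.agent_card_id: c for c in conditions}
        self._pending = {}   # memory: card identifier -> plaintext challenge

    def on_connection_request(self, card_id):
        # Steps S82-S83: fresh random number sequence, kept in the clear here
        # and sent encrypted under the public key registered for card_id
        cond = self._conditions.get(card_id)
        if cond is None:
            raise PermissionError(f"no commission condition for {card_id}")
        challenge = int.from_bytes(secrets.token_bytes(CHALLENGE_BYTES), "big")
        self._pending[card_id] = challenge
        return rsa_encrypt(cond.agent_public_key, challenge)

    def verify(self, card_id, response):
        # Step S88: each challenge is consumed once (pop), so a captured
        # response cannot be reused, and compared in constant time
        expected = self._pending.pop(card_id, None)
        if expected is None or not 0 <= response < 1 << (8 * CMP_WIDTH):
            return False
        return hmac.compare_digest(expected.to_bytes(CMP_WIDTH, "big"),
                                   response.to_bytes(CMP_WIDTH, "big"))


def run_protocol(owner, card):
    """Steps S81-S89 end to end; True means the authentication notification is sent."""
    encrypted = owner.on_connection_request(card.card_id)   # S81-S83
    card_id, plaintext = card.answer_challenge(encrypted)    # S84-S86
    return owner.verify(card_id, plaintext)                  # S87-S89


def demo():
    owner = OwnerDevice([CommissionCondition(
        "AGENT-01", AGENT_PUBLIC, "OWNER-01", "2008-03-31 09:00", 3)])
    genuine = AgentICCard("AGENT-01", AGENT_SECRET)
    forged = AgentICCard("AGENT-01", OTHER_SECRET)   # same identifier, wrong key
    return {"genuine": run_protocol(owner, genuine),
            "forged_identifier": run_protocol(owner, forged)}


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'forged_identifier': False}
```

The forged card carries the genuine agent card identifier 61 but not the matching secret key 62, so its decryption of the challenge does not reproduce the sequence held in the owner device's memory and Step S88 fails. Two details go beyond the text of the embodiment: the stored challenge is removed when it is checked, so one answered challenge cannot authenticate a second connection, and the comparison is done over fixed-width bytes in constant time. Because the card decrypts whatever ciphertext the owner device forwards, a real card should accept only properly padded ciphertexts (RSA-OAEP or similar) rather than the raw textbook operation used here for illustration.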

The processing function of each of the above-described embodiments can be realized by the computer. In such cases, there is provided the program in which processing contents of the functions to be possessed by the device main bodies of the agent device, owner device, and management object system are described. The program is executed by the computer, thereby realizing processing functions on the computer. The program in which processing contents are described can be recorded in a computer-readable recording medium. Examples of the computer-readable recording medium include a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory. Examples of the magnetic recording device include a Hard Disk Drive (HDD), a Flexible Disk (FD) and a magnetic tape. Examples of the optical disk include DVD (Digital Versatile Disc), DVD-RAM, CD-ROM (Compact Disc Read Only Memory), and CD-R (Recordable)/RW (Re Writable). An example of the magneto-optical recording medium includes MO (Magneto-Optical disc).

For example, a portable recording medium such as DVD and CD-ROM in which the program is recorded may be sold when the program is circulated. Alternatively, the program may be stored in the storage device of the server computer and the program can be transferred from the server computer to other computers through the network.

The computer which executes the program stores the program recorded in the portable recording medium or the program transferred from the server computer in the storage device thereof. Then, the computer reads the program from the storage device to perform the processing according to the program. Alternatively, the computer may directly read the program from the portable recording medium to perform the processing according to the program. Alternatively, the computer may perform the processing according to the received program every time the program is transferred from the server computer.

The invention is not limited to the above-described embodiments, but various modifications can be made without departing from the scope of the invention.

1. An encryption data management system which includes an agent-side apparatus and an owner-side apparatus to manage encryption data stored in an encryption data storage unit of a management object apparatus, wherein the agent-side apparatus includes: a transmission unit which responds to an operation input from an agent and transmits authentication information indicating proxy of the agent to the owner-side apparatus; and a transfer unit which transfers a data processing request including the encryption data to the owner-side apparatus when the management object apparatus supplies the data processing request, and transfers a processing result to the management object apparatus, the processing result corresponding to the data processing request sent back from the owner-side apparatus, wherein the owner-side apparatus includes: a commission condition storage unit in which a commission condition of the agent who uses the agent-side apparatus is previously stored; an agent authentication unit which authenticates authentication information when the authentication information of the agent is received from the agent-side apparatus; a performing unit which performs data processing associated with decryption of the encryption data included in the permitted data processing request using a previously registered key, when the agent authentication unit normally performs the authentication, and when the data processing request falls within a range of the agent commission condition indicated by the commission condition storage unit, upon receiving the data processing request from the agent-side apparatus; and a result transmission unit which transmits a processing result of the performing unit to the agent-side apparatus.
2. The encryption data management system according to claim 1, wherein the encryption data stored in the encryption data storage unit of the management object apparatus is encrypted using a public key, the owner-side apparatus has a secret key corresponding to the public key, and the performing unit decrypts the encryption data using the secret key.
3. The encryption data management system according to claim 2, wherein the owner-side apparatus includes: an IC card reader/writer which may be connected to an owner IC card, the owner IC card including the secret key and a data processing unit which performs decryption processing of the encryption data with the secret key; and an owner device apparatus, the owner device apparatus including: the commission condition storage unit; the agent authentication unit which checks the authentication information with the verification authentication information in the commission condition storage unit to authenticate proxy of an agent who operates the agent-side apparatus when the authentication information is received from the agent-side apparatus; a processing request permission determination unit which causes the data processing unit in the owner IC card to perform data processing associated with decryption of the encryption data included in the permitted data processing request using a previously registered key, when the agent authentication unit authenticates the authentication information transmitted from the agent-side apparatus, and when the data processing request falls within a range of the agent commission condition, upon receiving the data processing request from the agent-side apparatus; and the result transmission unit.
4. The encryption data management system according to claim 1, wherein the agent-side apparatus transmits the previously registered authentication information upon transmitting the authentication information, verification authentication information is previously registered in the owner-side apparatus in order to authenticate an agent to whom proxy is imparted, and the agent authentication unit performs authentication processing by checking the authentication information with the verification authentication information when the agent authentication unit receives the authentication information from the agent-side apparatus.
5. The encryption data management system according to claim 4, wherein the agent-side apparatus includes: an IC card reader/writer which can be connected to an agent IC card in which the authentication information is stored; and an agent device apparatus, the agent device apparatus including: a transmission unit which responds to an operation input from the agent and obtains the authentication information from the agent IC card to transmit the authentication information to the owner-side apparatus; and a transfer unit which transfers the data processing request supplied from the management object apparatus to the owner-side apparatus and transfers a processing result to the management object apparatus, the processing result being sent back from the owner-side apparatus in response to the data processing request.
6. The encryption data management system according to claim 1, wherein the agent-side apparatus transmits a connection request to the owner-side apparatus when transmitting the authentication information, the agent-side apparatus decrypts an encrypted random number sequence sent back in response to the connection request to produce a decrypted random number sequence using a previously registered secret key, and the agent-side apparatus transmits the decrypted random number sequence as authentication information to the owner-side apparatus, and the owner-side apparatus produces a random number sequence in response to the connection request transmitted from the agent-side apparatus when authenticating the agent, the owner-side apparatus encrypts the random number sequence to produce the encrypted random number sequence using a public key which is previously registered and corresponds to the agent-side apparatus, the owner-side apparatus transmits the encrypted random number sequence to the agent-side apparatus, and the owner-side apparatus performs authentication by checking the produced random number sequence with the decrypted random number sequence which is transmitted as the authentication information from the agent-side apparatus.
7. The encryption data management system according to claim 6, wherein the agent-side apparatus includes: an agent IC card which includes the secret key and a data processing unit which performs decryption processing of the encrypted random number sequence with the secret key; and an agent device apparatus, the agent device apparatus including: an IC card reader/writer which can be connected to the agent IC card; a transmission unit which transmits a connection request to the owner-side apparatus in response to an operation input from the agent, causes the agent IC card to decrypt the encrypted random number sequence sent back in response to the connection request, and transmits the decrypted random number sequence produced by the decryption as the authentication information to the owner-side apparatus; and a transfer unit which transfers the data processing request supplied from the management object apparatus to the owner-side apparatus and transfers a processing result to the management object apparatus, the processing result being sent back from the owner-side apparatus in response to the data processing request.
8. The encryption data management system according to claim 1, wherein a date and a time when the data processing is permitted by the proxy are defined in the commission condition.
9. The encryption data management system according to claim 1, wherein a limit value of the number of times the data processing is permitted by the proxy is defined in the commission condition.
10. The encryption data management system according to claim 1, wherein the agent-side apparatus includes a card-type probe which can be inserted in an IC card reader/writer connected to the management object system, and the agent-side apparatus receives the data processing request through the card-type probe.
11. An encryption data management method performed by an encryption data management system which includes an agent-side apparatus and an owner-side apparatus to manage encryption data stored in an encryption data storage unit of a management object apparatus, wherein the agent-side apparatus responds to an operation input from an agent to transmit authentication information indicating proxy of the agent to the owner-side apparatus; transfers a data processing request including the encryption data to the owner-side apparatus when the management object apparatus supplies the data processing request; and transfers a processing result to the management object apparatus, the processing result corresponding to the data processing request sent back from the owner-side apparatus, wherein the owner-side apparatus can access the commission condition storage unit in which a commission condition of the agent who uses the agent-side apparatus is previously stored; authenticates authentication information when the authentication information of the agent is received from the agent-side apparatus; performs data processing associated with decryption of the encryption data included in the permitted data processing request using a previously registered key, when the authentication is normally performed, and when the data processing request falls within a range of the agent commission condition indicated by the commission condition storage unit, upon receiving the data processing request from the agent-side apparatus; and transmits a processing result of the data processing to the agent-side apparatus.